One-Click Installs: WordPress 2.1.2 released, critical update
A pretty bad security exploit made it into WordPress version 2.1.1, so if you upgraded to that within the last couple of days, make sure to upgrade to 2.1.2 as soon as possible. More information is available from the WP staff:
WordPress 2.1.1 dangerous, upgrade to 2.1.2
If you are unable to upgrade your install of WordPress 2.1.1 at this time, you can also add a .htaccess rule to block access to “theme.php” and “feed.php”, with a rule something like this:
<Files theme.php>
order allow,deny
deny from all
</Files>
<Files feed.php>
order allow,deny
deny from all
</Files>
Update at 5:54pm PST by JamesH: The rush of our vigilant and security-conscious customers to upgrade their blogs has put something of a strain on our one-click installer, and so there’s currently a backlog of one-click installs and upgrades. Right now we’re estimating it should be caught up within three hours.
March 2nd, 2007 at 3:27 pm
I guess this is why the one-click-installs I put in for Word Press earlier haven’t been done yet. I’m not complaining, this is better than having to go back and fix them later.
March 2nd, 2007 at 3:43 pm
Well, I’ve submitted the request to do the upgrade almost an hour ago, but still nothing. I’m guessing the one-click-install server is rather backed up with work?
March 2nd, 2007 at 4:17 pm
I can’t get new wp via one-click-installs too.
March 2nd, 2007 at 4:32 pm
@Charlie
It’s done that to me a lot too. Sometimes after waiting hours it does nothing.
March 2nd, 2007 at 4:40 pm
If you read the WordPress announcement the only affected files were those in the WordPress 2.1.1 download. The SVN files were not impacted. Does One-Click Installs get its data from the download or from SVN?
March 2nd, 2007 at 4:54 pm
I checked the files in question on my 2.1.1 install - wp-includes/theme.php and wp-includes/feed.php - and they were in fact affected. (function comment_text_phpfilter in the former and function get_theme_mcommand in the latter.) I removed those functions - and the lines where they were invoked - since for me as well the one-click-install doesn’t seem to do anything.
March 2nd, 2007 at 4:54 pm
Oops… swap ‘former’ and ‘latter’ in my previous comment. :-[
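The manual check described in the two comments above, written out as a script (an added example, not part of the original post or thread). It assumes the standard `wp-includes/version.php` file with a `$wp_version` line and searches only for the two function names that commenter quoted, so a clean result rules out nothing beyond those names.

```shell
#!/bin/sh
# Added example: look for the two function names a commenter reported
# finding in wp-includes/feed.php and wp-includes/theme.php of a
# WordPress 2.1.1 install. Helper names here are hypothetical.
# Usage: sh check_wp.sh /path/to/wordpress

# Function names quoted in the comment; files named in the post.
SUSPECT_FUNCS='comment_text_phpfilter get_theme_mcommand'
SUSPECT_FILES='wp-includes/feed.php wp-includes/theme.php'

# Print the version from wp-includes/version.php, or "unknown".
# Assumes a line of the form: $wp_version = '2.1.1';
wp_version() {
    f="$1/wp-includes/version.php"
    [ -r "$f" ] || { echo unknown; return 0; }
    v=$(sed -n 's/^[[:space:]]*[$]wp_version[[:space:]]*=[[:space:]]*.\([0-9][0-9.]*\)..*/\1/p' "$f" | head -n 1)
    echo "${v:-unknown}"
}

# Print "file:function" for each suspect name found.
# Returns 1 if anything was found, 0 otherwise.
# Both names are checked in both files, since the commenter first
# reported them the wrong way round.
find_suspect_code() {
    root="$1"; hits=0
    for rel in $SUSPECT_FILES; do
        [ -r "$root/$rel" ] || continue
        for fn in $SUSPECT_FUNCS; do
            # -w matches whole words only, so longer identifiers are ignored
            if grep -qw -- "$fn" "$root/$rel"; then
                echo "$rel:$fn"
                hits=1
            fi
        done
    done
    return "$hits"
}

# Summarise one install: version, status, and any matches.
check_wp_install() {
    version=$(wp_version "$1")
    if found=$(find_suspect_code "$1"); then
        echo "version=$version status=clean"
        return 0
    fi
    echo "version=$version status=suspect"
    echo "$found"
    return 1
}

if [ "$#" -gt 0 ]; then check_wp_install "$1"; fi
```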
March 2nd, 2007 at 4:57 pm
Hmm, I can’t do *anything* now on the Panel… It’s stuck on the one-click-install screen, where it keeps telling me:
! Error!
You had 1 error!
Please fix it below:
Upgrade or remove previously installed software:
Please click a link below!
Clicking any link, below or above (even logout) doesn’t help.
March 2nd, 2007 at 5:26 pm
Michael, it is a bug in the Control Panel and you must delete from the address bar anything after “https://panel.dreamhost.com”. Press enter and you will get back control of your CP.
March 2nd, 2007 at 5:38 pm
I can not get the one click installer to work either. I am having the same error as Michael.
March 2nd, 2007 at 5:47 pm
I’m also waiting for an abnormally long amount of time for the one-click install to happen.
March 2nd, 2007 at 6:59 pm
About 1.5 hours have passed since the robot said that the upgrade will be done in 5-10 minutes, but no upgrade has been made until now.
March 2nd, 2007 at 7:17 pm
It took me a while to get the one-click upgrade to 2.1.1 — and then I saw the news to update to 2.1.2. I’m just glad you guys were able to roll it out so quickly. Kudos.
March 2nd, 2007 at 7:44 pm
I’m seeing the same bug as Michael Schaap
(1) Click on the one click upgrade for Wordpress
(2) The status message appears at the top of the page stating that they are scheduling the upgrade
(3) Click on the Support menu on the left
(4) Click on Support History and I get an error at the top of the page
! Error!
You had 1 error!
Please fix it below
The page does not change to Support History. The upgrade is scheduled message goes away.
I have to go back to the base URL to use the panel after this error occurs (e.g. start from http://panel.dreamhost.com)
March 2nd, 2007 at 8:35 pm
You know what, folks? I have to tell you that installing WordPress manually is really no big deal if you can’t wait. The instructions are clear-cut, and I have not used the one-click technique, since I brought everything over from another host.
Yes, it would be nice to have a real installer, but copying a bunch of files over (and making sure you don’t overwrite your themes) is not so hard to do.
Peace,
Gene
March 2nd, 2007 at 10:19 pm
You guys can make sure that one-click installer has completed its job until you receive the mail from DreamHost Installer Robot. So keep looking at your mailbox.
–
Qui-Gon: Patience, my blue friend.
March 3rd, 2007 at 12:15 am
The installer did give the bug that Jim Phelps reported above, though the actual install went through fine, even if a bit late.
March 3rd, 2007 at 2:13 am
I don’t know if I was affected or not. When WordPress initially came out with the v2.1.1 upgrade, about 3 weeks ago, I upgraded my site within 4 hours of the upgrade notification. I have since upgraded to WordPress 2.1.2 just to be safe anyway. But the question remains, what and if any other files could have been changed due to this hack? - I have a ton of plugins, all of which I keep in a separate folder on my Mac in case I need to upgrade or etc,
I think it would be wise to also re-install/upload all of your plugins too…..
How the F did this happen anyway?
March 3rd, 2007 at 4:09 am
it’s working great for me and my 12 hosted sites.
thumbs up on this!
March 3rd, 2007 at 4:34 am
The central database appears to be down. Fix please.
March 3rd, 2007 at 4:37 am
plz fix sentro panelz so we can update ar wp
thx
March 3rd, 2007 at 4:57 am
I upgraded even though I never got around to 2.1.1. Unfortunately my main index template and a few other templates were messed up a little in the process. Anyone else having this issue? To make matters worse, panel.dreamhost.com is also down. Ugh!
March 3rd, 2007 at 5:12 am
Why don’t you make sure people can post in IE, too? My friend wants a WordPress site, and IE only works on her computer (supposedly), and she can never post if it’s from the one-click install. It’s a pain for me to try to upgrade my download of WP, so why not fix the IE issue?
March 3rd, 2007 at 5:12 am
Oh, and my mail server is down, too.
March 3rd, 2007 at 5:21 am
my website down, does this relate to your actions on the central database?
it’s a totally static site, not database connections at all, but it’s still not working.
when you access it from the browser, the server just returns a blank page with a skeleton of HTML.
March 3rd, 2007 at 5:26 am
You guys are on the ball, thanks!!
March 3rd, 2007 at 7:02 am
I have problem while accessing my sites, and also the dreamhost page.
Anybody here knows if Dreamhost has a generalized problem or it is a network problem from Brazil again!?
March 3rd, 2007 at 7:13 am
Hey, everyone.
I have upgraded to 2.1.2., and my blog is still offline. I keep receiving a 500 Internal Server Error. However, this is getting stranger as I have noticed…
(1) I can access my WP Dashboard with no problems.
(2) My WP Dashboard is reading incoming hits, but it’s from these incoming hits I hear people telling me blog is offline. So while the blog does not show up, the Dashboard sees their hits.
I cannot post anything new on the blog (even with Dashboard running) and my podcast has gone over two days without a host blog. I really could use some help here.
This server upgrade — as I’m finding out seems to be the cause of the on-again-off-again service — was DH’s call, even though before the upgrade everything was working seamlessly. Sorry if I sound snippy when I ask “Why fix it when it’s not broken?” but my blog’s been offline for two days and the best alternative I have received from WordPress’ Support is “Delete everything and then start over.” which is not much of an alternative in my eyes. So DH says “We do not provide support for WP…” but as the upgrade was all their doing, I could use some help.
March 3rd, 2007 at 7:57 am
Well, they weren’t kidding about the backlog: it was nearly midnight here (10 pm on the Left Coast) when they got my pair of 2.1.2 upgrades done, and I got all my tweaks replaced this morning. (Yes, it might actually be easier to do the upgrade myself, but it was Friday night and I was worn to a frazzle already.)
I have seen no issues with plugins yet, but then I use only a handful.
March 3rd, 2007 at 12:26 pm
One Click Install doesn’t work !!!!!!
I tried to install Wordpress and… nothing happened…
why????
I do everything ok… but one click install doesn’t work….
March 3rd, 2007 at 4:38 pm
I don’t want to minimize possible risks, but really installing WordPress manually is no big deal.
I came here from another host, already set up with two WP databases and two installations to run http://www.macnightowl.com.
The simplest way is this:
1. Take note of the contents of the folder that contains your WP installation.
2. Delete all the WP files and folders except for wp-config.php and wp-content, which will handle your setup, themes and plug-ins. Take care to compare the contents of the WP files you download and the ones you have installed, so you don’t do the wrong thing.
3. Once the file copying process is done, launch the readme.html file, and follow the instructions with regard to upgrading.
4. After it’s done, you should be ready to roll.
Total time: 10 minutes flat. As I said, if you’re careful about what you delete and follow the super-simple upgrade instructions, you will do fine with the manual install. I can’t say you’ll be able to use one-click after that, but to me it doesn’t matter.
Peace,
Gene
March 3rd, 2007 at 5:37 pm
thx u works purrfect!
March 3rd, 2007 at 5:38 pm
oh, had to apply template again, but that was all fanks dh!
March 3rd, 2007 at 9:23 pm
Hey Tee - you’d get a lot more response if you posted in the dreamhost forums, and not the status pages…
If you nuke your WP folder and redeploy the packages while leaving your database alone - you should be right back where you left off.
Or you could restore your WP folder from the previous day or week’s backup… and try the upgrade again.
You have lots of options, but DH is right - they don’t support software they didn’t write. The one touch installer/upgrade is a gray area, since it’s a script they build to distribute upgrades quickly for users… but in the end, it’s still not something you pay for.
March 3rd, 2007 at 10:01 pm
I don’t access my site - wordpress database error so updated to 2.1.2 and now still can’t access it. I hope something is done to fix this. I’m on “Willy” server.
March 4th, 2007 at 2:23 am
Hi.
Your panel isn’t working. And when I try to check my email, I get
Warning: mysql_connect() [function.mysql-connect]: Too many connections in /usr/local/squirrelmail-1.4.9a/plugins/dreamhost_virtualhosts/setup.php on line 189
1044: Access denied for user 'squirrelmail'@'192.168.10.0/255.255.255.0' to database 'dreamhost'
March 4th, 2007 at 2:24 am
One more time DOWN!!!
You´re horrible!
I´m looking for new hosting NOW!
March 4th, 2007 at 3:00 am
the panel isn’t working
March 4th, 2007 at 4:58 am
http://www.beyazblog.com I New
March 4th, 2007 at 8:58 am
The new control panel looks great, DH, thanks for it!
And I’ve never seen a bigger bunch of ding-dongs who couldn’t manage to get out of their own way than all the idiots complaining about the panel “not working” or the install allegedly messing up their blogs.
The old panel was a little buggy. It didn’t take genius to figure that out. The new panel has resolved the issue.
And in re: the database issues you may be having, learn to read. The confirmation e-mail gives you the URL to an upgrade link you need to click in order to update your database and complete the install. Do DH techs have to come to your padded rooms and wipe your asses for you, too?
March 4th, 2007 at 10:53 am
That’s assuming the confirmation email ever arrives! My control panel says “Already v2.1.2!” yet the confirmation email hasn’t arrived a couple of hours after upgrading.
March 4th, 2007 at 11:14 am
I agree with Gene about upgrading manually. Takes no more than 2 seconds.
March 4th, 2007 at 12:16 pm
Just updated my word press site….
Error 404 (Page not found)
There’s been a problem finding the page you’re looking for. Apologies. Probably . . .
* the page your looking for has moved
* your referring site gave you an incorrect address
* something has gone terribly wrong
Please use the search box and see if you can’t find what you’re looking for.
Great, huh?
March 4th, 2007 at 1:01 pm
mysql database connections were all timing out for a while there… they seem to be back online now.
March 4th, 2007 at 5:07 pm
@hardedge
Try deleting the contents of the cache folder in /wp-content/cache/
That’s what I did after upgrading, and the 404 errors went away.
March 4th, 2007 at 7:14 pm
panel looks great? dude, you should try being legally blind and color blind, its impossible,, just like there dark text on dark background image verification (has buddy give me the code now since i cant see it) nice,, really nice..
March 4th, 2007 at 9:21 pm
Why don’t manually update? It’s not that hassle.
March 5th, 2007 at 3:58 am
Now the https://panel.dreamhost.com/ is completely unavailable - can’t even log on.. and no notice about whatever this issue is.. evian server.
Software error:
Can’t call method “query” on an undefined value at /usr/local/ndn/web/dhwebpanel/index.cgi line 63.
Wow.. still not as bad as the problems I had with HostMonster which prompted me to move to DH recently, but getting damn close..
March 5th, 2007 at 4:14 am
Same problem here as demonsurfer.
Panel not working and webmail offline as well.
March 5th, 2007 at 7:27 am
@denitu: Then you should read the documentation, which also gives the link: http://yourdomain.com/blogdirectory/wp-admin/upgrade.php
@paul: WTF are you talking about? Is that even English?
@demonsurfer, @Fernando: The panel works fine. You’re both morons.
March 5th, 2007 at 10:28 am
@doug,, yeah it is.. dont start on me dude.. ive laughd at your witty comments all the time bro. funny stuff. really.
but, try being legally blind on the internet. its a bish. i deal. but dreamhost, come on man. change the colors a few shadez and make the fonts like 2 points bigger.
and yeah i was wrong on the verification thing. thats on the blog.dreamhost site. my bad.
thats my ONLY complaint. other then that dreamhost is da bomb. no seriously. WAY better than other hosts ive had. all the moaning and groaning about panel access gives me a big laugh. i never have to log in to panel to “update” my site.. i have this nifty thing calld an FTP app, and i use it. i do my html BY HAND none of that click and drag bs. grow up people, learn to do crap manually instead of depending on scripts and WYSWYG editors. geez.
@doug again. no disrespect meant bro. i really do enjoy your witty comments. your a real down to earth guy.
March 5th, 2007 at 11:59 am
@paul
I understand where you’re coming from with your comments on the font size. I personally find them fine. The trouble is you can’t please everyone, and that is why you yourself can change the font size. Simply go to View > Text Size > Increase
I know that both FF and IE have this ability so everyone can use this if they have problems.
If you also have a problem with the color, simply turn off CSS. Although not as nice, the panel still functions without CSS.
March 5th, 2007 at 12:30 pm
@ Doug : don’t be such a wanker - I know you think you’re ‘witty’, and sometimes you are, but calling people morons because they commented there was a panel outage when there actually WAS a panel outage at the time does not make us morons, it just makes you sound like a prat with way too much time on your hands trying a little too hard to be witty. Lay the abuse where it’s deserved, not where it isn’t. DreamHost have enough problems at the moment with customer satisfaction without you adding abuse on top of it. Your owner needs to put you on a shorter leash, and add a muzzle too.
@ DH : the panel is now working for me on the server I mentioned earlier, thanks.
March 5th, 2007 at 12:56 pm
@demonsurfer - the panel working or not has nothing to do with what server you’re on - the panel’s on its own space.
99% of the time when people complain that the panel is down it isn’t. I’ve seen people post that the panel was down when at that exact time I had it open and working in another tab on my browser. Morons are morons.
March 5th, 2007 at 3:41 pm
Yep, so, chaps, why the #$*&^%# is my webmail running at an absolute snail’s pace AGAIN?
Unbelievable.
March 5th, 2007 at 3:59 pm
Patrick, just a question: How does your email relate to WordPress? Just asking
Peace,
Gene
March 5th, 2007 at 4:57 pm
@ Brasscrest : I wasn’t the only one it was down for, as you’d know if you bothered to scroll back up before adding your two cents worth. I posted the error, so what was the point of your post? There was a problem, I wasn’t the only one to experience it, and presumably you were not on at the time, end of story. Yes you are right, morons are morons, here’s your sign, moron.
March 5th, 2007 at 4:58 pm
@ Patrick : careful, you’ll probably have a couple of these wankers telling you your email is not running slow at all and you’re a moron.
March 5th, 2007 at 7:38 pm
A good sign that Wordpress problems are gone is the completely unrelated talk about slow email :).
March 6th, 2007 at 4:20 am
The Turkey Tourism Dictionary
March 6th, 2007 at 4:20 am
http://www.beyazblog.com/turkey/
March 6th, 2007 at 4:56 am
What about it?
March 6th, 2007 at 9:45 am
All of my database driven websites are slow or unavailable!
March 6th, 2007 at 11:24 am
server slow! >/
March 6th, 2007 at 1:29 pm
My email relates to Wordpress because the other threads say “Resolved: YES” on them, which is a load of #@$%…
March 6th, 2007 at 6:38 pm
Better yet:
–
order allow,deny
deny from all
–
Or you can:
–
RewriteCond %{QUERY_STRING} (ix|iz)
RewriteRule .* - [F]
–
See Also:
http://wordpress.org/support/topic/108512
March 6th, 2007 at 6:39 pm
Oops! Meant
>FilesMatch “(theme|feed)\.php$”<
order allow,deny
deny from all
>/FilesMatch<
http://www.askapache.com/2006/htaccess/htaccesselite-ultimate-htaccess-article.html/2/#sub-using-the-filesmatch-directive
March 6th, 2007 at 6:42 pm
Ahh
<FilesMatch "(theme|feed)\.php$">
order allow,deny
deny from all
</FilesMatch>
March 7th, 2007 at 6:13 pm
Did Dreamhost’s one-click-install of 2.1.1 actually have the vulnerability?
I moved to svn-based updates a few releases ago. Dreamhost’s one click installer is great for initial setup, but svn beats it for updates.
October 25th, 2007 at 11:05 pm
Great job done! Dreamhost is the best hosting you can find!
November 30th, 2007 at 12:25 am
thx for this .